
Cyber Brief: Router hijacks, WordPress flaws, ransomware

Today’s cyber picture is a reminder that attackers are still finding success through exposed infrastructure, lightly managed web assets and supplier dependencies. We have fresh warnings around router compromise and industrial targeting, active exploitation affecting widely used WordPress tooling, and ransomware disruption hitting a major healthcare software provider. For most organisations, the lesson is the same: internet-facing exposure and third-party resilience still need close attention.

Router hijacks and exposed infrastructure remain a live risk

New reporting and agency warnings this week have put exposed edge devices and operational environments back in focus. US authorities warned that Iranian-affiliated actors have increased activity against exposed industrial control environments, while UK and US action has also highlighted ongoing router exploitation and DNS hijacking activity linked to APT28. The concern here is not just espionage. In several cases, these campaigns create real operational risk by giving attackers a route to intercept traffic, steal credentials, or interfere with connected systems.

For businesses, this is a practical reminder that routers, firewalls, remote access appliances and internet-facing management interfaces need the same scrutiny as servers and endpoints. If they are exposed, unpatched or poorly monitored, they can give attackers a quiet route into the wider organisation. Stronger access controls, patching discipline and a clear view of external exposure still go a long way here.

Active WordPress exploitation shows how quickly website risk becomes business risk

Attackers are actively exploiting a critical flaw in the Ninja Forms File Upload component for WordPress, with security reporting showing attack activity already underway. The vulnerability affects versions up to 3.3.26 and can allow unauthenticated arbitrary file upload, creating a path to compromise public-facing websites. With broad usage across WordPress environments, this is exactly the type of issue that can affect campaign sites, customer portals and business websites that sit outside more formal patching processes.

It is another strong example of why website security cannot be treated as separate from core security. Public-facing sites are often one of the easiest paths in, particularly where plugins have accumulated over time and ownership is split between marketing, development and IT. Immediate patching, checking for suspicious uploads, and tightening admin access should be high on the list for any affected organisation.
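One way to carry out the version and upload checks mentioned above, as an added example that is not part of the original brief or of any vendor tooling. The extension list, the function names and the sample directory tree are assumptions constructed for illustration; point `suspicious_uploads` at your own site's uploads directory.

```python
import os
import re
import tempfile

# Last affected version, as stated in the brief ("versions up to 3.3.26").
LAST_AFFECTED = (3, 3, 26)
# Assumed list of extensions a PHP-enabled web server may execute; adjust to your config.
EXECUTABLE_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7", ".pht"}


def parse_version(text):
    """Turn '3.3.26' into (3, 3, 26); parts without leading digits count as 0."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_affected(version_text):
    """True when the installed plugin version is 3.3.26 or older."""
    return parse_version(version_text) <= LAST_AFFECTED


def suspicious_uploads(uploads_dir):
    """Relative paths of files to review: any executable extension anywhere in
    the name (so 'invoice.php.jpg' is caught) and any .htaccess file."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            lower = name.lower()
            exts = {"." + part for part in lower.split(".")[1:]}
            if exts & EXECUTABLE_EXTS or lower == ".htaccess":
                hits.append(os.path.relpath(os.path.join(root, name), uploads_dir))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample uploads tree, used only for the demo below."""
    base = tempfile.mkdtemp(prefix="uploads-demo-")
    for rel in ("2024/01/logo.png", "2024/01/form.PHP", "tmp/invoice.php.jpg", "tmp/cv.pdf"):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return base


if __name__ == "__main__":
    print("3.3.26 affected:", is_affected("3.3.26"))
    for hit in suspicious_uploads(build_sample_tree()):
        print("review:", hit)
```

A hit is a prompt for review rather than proof of compromise; compare file timestamps against web server access logs before drawing conclusions.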

Healthcare supplier ransomware highlights third-party resilience concerns

Dutch healthcare software supplier ChipSoft has reportedly been hit by ransomware, with disruption affecting a provider used by a large share of hospitals in the Netherlands. Incidents like this matter beyond the directly affected supplier because they show how quickly third-party cyber disruption can become an operational issue for customers. When one platform supports critical workflows across a sector, the knock-on impact can spread fast even before the full technical details are known.

That is a useful reminder for any organisation relying on a concentrated set of providers for finance, operations, communications or service delivery. Supplier due diligence is important, but so is knowing what happens if a critical vendor becomes unavailable. Incident communications, fallback processes and continuity planning all need to reflect that reality.

Why it matters

Today’s stories all point back to a familiar issue: resilience depends on understanding exposure before an incident starts. Whether it is an exposed router, an outdated plugin or a supplier outage, the organisations in the strongest position are the ones that already know their risks, have reduced avoidable weaknesses and have workable plans in place if disruption hits.

Today’s Key Actions

  • Review internet-facing routers, firewalls, VPNs and remote management interfaces for unnecessary exposure.
  • Patch affected WordPress components immediately and review public-facing sites for suspicious file activity.
  • Strengthen access controls for edge devices and enforce multi-factor authentication wherever possible.
  • Check that supplier incident response and continuity plans cover disruption to critical third parties.
  • Make sure operational and security teams have a clear view of external exposure across core systems.

Secarma Insight

Cyber resilience is rarely about one dramatic failure. More often, it comes down to small gaps that stay unaddressed for too long, whether that is an exposed device, an overlooked web component or an untested dependency on a supplier. The organisations that handle these situations best are usually the ones that have already taken time to understand their environment, reduce avoidable risk and test how they would respond if something goes wrong. That is where clear advice, practical testing and a proactive security approach make a real difference.
